We claim: 

1. A computer program product for providing end-to-end user authentication for legacy host
application access, said computer program product embodied on a computer-readable medium
readable by a computing device in a computing environment and comprising:

computer-readable program code means for establishing a secure session from a client
machine to a server machine using a digital certificate representing said client machine or a user
thereof;

computer-readable program code means for storing said digital certificate at said server
machine;

computer-readable program code means for establishing a session from said server
machine to a host system using a legacy host communication protocol;

computer-readable program code means for passing said stored digital certificate from
said server machine to a host access security system; 

computer-readable program code means, operable in said host access security system, for 
using said passed digital certificate to locate access credentials for said user; 

computer-readable program code means for accessing a stored password or a generated
password substitute representing said located credentials; and

computer-readable program code means for using said stored password or said generated
password substitute to transparently log said user on to a secure legacy host application executing
at said host system.



2. The computer program product as claimed in Claim 1, wherein said digital certificate is an
X.509 certificate.

3. The computer program product as claimed in Claim 1 or Claim 2, wherein said 
communication protocol is a 3270 emulation protocol. 

4. The computer program product as claimed in Claim 1 or Claim 2, wherein said
communication protocol is a 5250 emulation protocol.

5. The computer program product as claimed in Claim 1 or Claim 2, wherein said
communication protocol is a Virtual Terminal protocol. 

6. The computer program product as claimed in Claim 3, wherein said host access security 
system is a Resource Access Control Facility (RACF) system. 

7. The computer program product as claimed in Claim 1, wherein said server machine is a 
Web application server machine.

8. The computer program product as claimed in Claim 1, further comprising:
computer-readable program code means for requesting by said legacy host application,
responsive to said computer-readable program code means for establishing said session, log on
information for said user;

computer-readable program code means for responding to said request for log on
information by sending a log on message with placeholders from said client machine to said server
machine, said placeholders representing a user identification and a password of said user; and

computer-readable program code means for substituting a user identifier associated with
said located access credentials and said stored password or said generated passticket for said
placeholders in said log on message.
9. The computer program product as claimed in Claim 7, further comprising:

computer-readable program code means for requesting by said legacy host application,
responsive to said computer-readable program code means for establishing said session, log on
information for said user; and

computer-readable program code means for responding to said request for log on
information by supplying a user identifier associated with said located access credentials and said
stored password or said generated passticket at said server machine.

10. A system for providing end-to-end user authentication for legacy host application access
in a computing environment, comprising:

means for establishing a secure session from a client machine to a server machine using a 
digital certificate representing said client machine or a user thereof; 

means for storing said digital certificate at said server machine;

means for establishing a session from said server machine to a host system using a legacy
host communication protocol;

means for passing said stored digital certificate from said server machine to a host access
security system;

means, operable in said host access security system, for using said passed digital certificate
to locate access credentials for said user;

means for accessing a stored password or a generated password substitute representing
said located credentials; and 

means for using said stored password or said generated password substitute to
transparently log said user on to a secure legacy host application executing at said host system.



11. The system as claimed in Claim 10, wherein said digital certificate is an X.509 certificate.



12. The system as claimed in Claim 10 or Claim 11, wherein said communication protocol is a
3270 emulation protocol.



13. The system as claimed in Claim 10 or Claim 11, wherein said communication protocol is a
5250 emulation protocol.



14. The system as claimed in Claim 10 or Claim 11, wherein said communication protocol is a
Virtual Terminal protocol.

15. The system as claimed in Claim 12, wherein said host access security system is a Resource
Access Control Facility (RACF) system.
16. The system as claimed in Claim 10, wherein said server machine is a Web application
server machine.

17. The system as claimed in Claim 10, further comprising: 

means for requesting by said legacy host application, responsive to said means for
establishing said session, log on information for said user;

means for responding to said request for log on information by sending a log on message
with placeholders from said client machine to said server machine, said placeholders representing
a user identification and a password of said user; and

means for substituting a user identifier associated with said located access credentials and 
said stored password or said generated passticket for said placeholders in said log on message. 



18. The system as claimed in Claim 16, further comprising: 

means for requesting by said legacy host application, responsive to said means for
establishing said session, log on information for said user; and

means for responding to said request for log on information by supplying a user identifier
associated with said located access credentials and said stored password or said generated
passticket at said server machine.






19. A method for providing end-to-end user authentication for legacy host application access
in a computing environment, comprising the steps of:

establishing a secure session from a client machine to a server machine using a digital
certificate representing said client machine or a user thereof;

storing said digital certificate at said server machine;

establishing a session from said server machine to a host system using a legacy host
communication protocol;

passing said stored digital certificate from said server machine to a host access security
system;

using, by said host access security system, said passed digital certificate to locate access
credentials for said user;

accessing a stored password or a generated password substitute representing said located
credentials; and

using said stored password or said generated password substitute to transparently log said
user on to a secure legacy host application executing at said host system.

20. The method as claimed in Claim 19, wherein said digital certificate is an X.509 certificate.

21. The method as claimed in Claim 19 or Claim 20, wherein said communication protocol is a
3270 emulation protocol.

22. The method as claimed in Claim 19 or Claim 20, wherein said communication protocol is a
5250 emulation protocol.

23. The method as claimed in Claim 19 or Claim 20, wherein said communication protocol is a
Virtual Terminal protocol.



24. The method as claimed in Claim 21, wherein said host access security system is a 
Resource Access Control Facility (RACF) system. 

25. The method as claimed in Claim 19, wherein said server machine is a Web application
server machine. 

26. The method as claimed in Claim 19, further comprising the steps of:
requesting by said legacy host application, responsive to said step of establishing said 

session, log on information for said user; 

responding to said request for log on information by sending a log on message with 
placeholders from said client machine to said server machine, said placeholders representing a 
user identification and a password of said user; and 

substituting a user identifier associated with said located access credentials and said stored
password or said generated passticket for said placeholders in said log on message. 

27. The method as claimed in Claim 25, further comprising the steps of:
requesting by said legacy host application, responsive to said step of establishing said

session, log on information for said user; and

responding to said request for log on information by supplying a user identifier associated
with said located access credentials and said stored password or said generated passticket at said
server machine.
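Worked example of the flow in Claims 19, 26 and 27, added here as an illustration; it is not part of the claims and not any product's code. The certificate bytes, the placeholder syntax, the certificate-to-user table, the shared key and the HMAC-based one-time "password substitute" are all hypothetical stand-ins (the substitute is not RACF's PassTicket algorithm). What the simulation shows beyond the claim text: the client sends only placeholders, the server substitutes a user ID located from the stored certificate plus a substitute it obtained from the host access security system, and the host side rejects that substitute if it is replayed or presented after its lifetime.

```python
"""Simulation of certificate-based log on to a legacy host with placeholder substitution.

Constructed example: certificate bytes, placeholders, user table, key and the
substitute generator are hypothetical; the substitute is an HMAC one-time token,
not RACF's actual PassTicket algorithm.
"""
import hashlib
import hmac
import time

# Placeholders the client puts in its log on message instead of real credentials.
USERID_PLACEHOLDER = "$USERID$"
PASSWORD_PLACEHOLDER = "$PASSWORD$"

# Constructed stand-in for a client's DER-encoded certificate.
CLIENT_CERT_DER = b"\x30\x82constructed-client-certificate-bytes"


def cert_fingerprint(cert_der):
    """Stable lookup key for a certificate: SHA-256 over its DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


class HostAccessSecuritySystem:
    """Stand-in for the host access security system (RACF in the claims).

    Maps a certificate to a host user ID and issues short-lived, single-use
    password substitutes, so the host password itself never reaches the server.
    """

    def __init__(self, cert_to_userid, host_passwords, secret, ttl=60):
        self._cert_to_userid = cert_to_userid  # fingerprint -> host user ID
        self._host_passwords = host_passwords  # host side only, used by verify_logon
        self._secret = secret                  # key shared by issuer and verifier
        self._ttl = ttl                        # substitute lifetime in seconds
        self._used = set()                     # substitutes already consumed

    def locate_credentials(self, cert_der):
        """Use the passed certificate to locate the user's access credentials."""
        try:
            return self._cert_to_userid[cert_fingerprint(cert_der)]
        except KeyError:
            raise PermissionError("certificate is not mapped to any host user")

    def generate_substitute(self, userid, now=None):
        """Generated password substitute: timestamp plus HMAC(userid, timestamp)."""
        ts = int(time.time() if now is None else now)
        mac = hmac.new(self._secret, f"{userid}|{ts}".encode(), hashlib.sha256).hexdigest()[:16]
        return f"{ts}-{mac}"

    def verify_logon(self, userid, credential, now=None):
        """Host-side check: accept the stored password or a fresh, unused substitute."""
        if credential == self._host_passwords.get(userid):
            return True
        ts_str, _, _mac = credential.partition("-")
        if not ts_str.isdigit():
            return False
        ts = int(ts_str)
        current = int(time.time() if now is None else now)
        if current - ts > self._ttl:
            return False  # expired substitute
        if not hmac.compare_digest(self.generate_substitute(userid, ts), credential):
            return False  # forged, or issued for a different user
        if credential in self._used:
            return False  # replayed substitute
        self._used.add(credential)
        return True


class WebApplicationServer:
    """Stand-in for the server machine that terminates the client's secure session."""

    def __init__(self, security_system):
        self._security = security_system
        self._session_certs = {}  # session id -> stored client certificate

    def establish_secure_session(self, session_id, client_cert_der):
        """Store the certificate the client presented when the secure session was set up."""
        self._session_certs[session_id] = client_cert_der

    def complete_logon(self, session_id, logon_message, now=None):
        """Replace the client's placeholders with the located user ID and a substitute."""
        userid = self._security.locate_credentials(self._session_certs[session_id])
        substitute = self._security.generate_substitute(userid, now)
        return (logon_message
                .replace(USERID_PLACEHOLDER, userid)
                .replace(PASSWORD_PLACEHOLDER, substitute))


def demo(now=1_000_000):
    """Run the whole flow once and report what each party saw and decided."""
    security = HostAccessSecuritySystem(
        cert_to_userid={cert_fingerprint(CLIENT_CERT_DER): "USER01"},
        host_passwords={"USER01": "host-password-never-sent"},
        secret=b"constructed-shared-key",
    )
    server = WebApplicationServer(security)
    server.establish_secure_session("sess-1", CLIENT_CERT_DER)
    client_message = f"LOGON {USERID_PLACEHOLDER}/{PASSWORD_PLACEHOLDER}"
    host_message = server.complete_logon("sess-1", client_message, now=now)
    userid, credential = host_message.split(" ", 1)[1].split("/", 1)
    return {
        "client_message": client_message,
        "host_message": host_message,
        "first_logon": security.verify_logon(userid, credential, now=now),
        "replay": security.verify_logon(userid, credential, now=now),
        "after_expiry": security.verify_logon(userid, credential, now=now + 61),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows a client message that carries no credential at all, a host message of the form `LOGON USER01/<timestamp>-<mac>`, and a host that accepts the substitute exactly once and refuses it again or after its lifetime; the fixed `now` argument only makes the run deterministic.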